ARM TrustZone monitor mode switch design

Problem description

The basic world switch flow is:

set FIQ to monitor mode

  1. normal world -> FIQ triggered
  2. -> enter monitor mode (switch to the secure world, restore the secure world context)
  3. -> in secure world SYS mode
  4. -> FIQ is not cleared, enter the secure world FIQ handler

Steps 3 and 4: after we restore the target context, ARM will trigger the exception to enter the exception. Is the behaviour correct (if we don't branch to the FIQ handler in the monitor mode vector table)?

We need a flow like the one below (no world context switch case: just enter monitor mode to check whether we need a world switch, and enter the IRQ exception from monitor mode directly. We need this because of our HW limitation: we only have IRQ in our chip).

set IRQ to monitor mode

  1. normal world user mode -> IRQ triggered
  2. -> enter monitor, do some things we want to hook, check whether we need a context switch, prepare SPSR/LR for IRQ mode
  3. -> enter normal world IRQ mode, IRQ handling
  4. -> IRQ done, return to user mode

For the non-world switch case, we would like the normal world OS not to know about the monitor mode; it would just think it entered IRQ mode directly and returned from IRQ mode. For the world switch case, just switch it in the monitor mode.

Or should it just do the irq_handle in monitor mode?

e.g.
normal world OS usr mode -> irq -> usr mode
normal world OS usr mode -> monitor to irq handler -> usr mode

Is the flow possible and well designed?

Recommended answer

It is possible. 'Well designed' is subjective. It has several fails or non-ideal issues. I guess your system doesn't have a GIC, which is a TrustZone-aware interrupt controller. The GIC has banked registers which allow the normal world OS to use it (almost) as if it were in the secure world.

It is not clear from your question whether you want the secure world to have interrupts? I guess so from the statement 'for non-world switch case...'. If you only have interrupts handled by the normal world, things are simple. Don't branch to monitor mode on an IRQ (or FIQ). There is a register to set this behaviour (SCR/Secure Configuration Register).

For the dual world interrupt case, you have two issues.

1. You need to trust the normal world OS.
2. Interrupt latency will increase.

You must always take the interrupt in monitor mode. The monitor must check the interrupt controller source to see which world the interrupt belongs to. It may need to do a world switch depending on the world. This will increase interrupt latency. As well, both the normal and secure world will be dealing with the same interrupt controller registers. So you have malicious security concerns and non-malicious race conditions with multiple interrupt drivers trying to manipulate registers (RMW). Generally, if your chip doesn't have a GIC but the CPU supports TrustZone, then your system hasn't been well thought through for TrustZone use. The L1/L2 cache controllers must also be TrustZone aware, and you possibly have issues there as well.

If you have Linux (or some other open source OS in the normal world), it would be better to replace the normal world interrupt driver with a 'virtual' interrupt driver. The normal world virtual IRQ code would use the SMC instruction to set virtual registers and register IRQ routines for specific interrupts. The secure world/monitor IRQ code would then branch directly to the decoded IRQ routine.

With a GIC, set the group 0 (secure world) interrupts as FIQ and group 1 (normal world) as IRQ using the GICC_CTLR bit FIQEn. I.e., you classify the interrupts with the distributor (DIST) in the GIC as either secure or normal (and therefore FIQ/IRQ).

You have to work through scheduling issues and how you want the different OSes to pre-empt. Normally (easiest) is to always have the secure OS running, but this means that some Linux (normal world) interrupts may be very delayed by the secure world (RTOS) main line code.
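As an added example (not part of the question or the answer), the following host-side C model shows the two configurations the answer contrasts and the monitor-mode IRQ dispatch for the dual-world case: the monitor looks up which GIC group an interrupt belongs to and switches worlds only when the interrupt is owned by the other world. The SCR and GICC_CTLR bit positions are the ARMv7/GICv2 architectural ones; the GICD_IGROUPR0 contents, the world state and the "context switch" are simulated, so nothing here touches real hardware.

```c
#include <stdint.h>
#include <stdio.h>

/* Secure Configuration Register (SCR) bits, ARMv7 Security Extensions. */
#define SCR_NS  (1u << 0)   /* 1 = CPU is in the Non-secure (normal) world   */
#define SCR_IRQ (1u << 1)   /* 1 = IRQ exceptions are taken to monitor mode  */
#define SCR_FIQ (1u << 2)   /* 1 = FIQ exceptions are taken to monitor mode  */

/* GICv2 CPU interface control register (GICC_CTLR) bits. */
#define GICC_CTLR_ENABLE_GRP0 (1u << 0)
#define GICC_CTLR_ENABLE_GRP1 (1u << 1)
#define GICC_CTLR_FIQEN       (1u << 3)  /* group 0 is signalled as FIQ */

enum world { SECURE = 0, NORMAL = 1 };

/* Constructed GICD_IGROUPR0: a set bit means "group 1" (normal world).
 * Here INTIDs 0..15 are secure (group 0) and 16..31 are normal (group 1). */
static const uint32_t igroupr0 = 0xFFFF0000u;

/* Simulated monitor state: the SCR value plus some bookkeeping counters. */
struct monitor { uint32_t scr; unsigned world_switches; unsigned forwarded[2]; };

static enum world intid_world(uint32_t intid) {
    return ((igroupr0 >> intid) & 1u) ? NORMAL : SECURE;
}

/* Monitor IRQ vector as the answer describes for the dual-world case:
 * find which world owns the interrupt, switch worlds only if it differs from
 * the current one (context save/restore omitted), then hand it to that
 * world's handler. Returns the world that ends up handling the interrupt. */
enum world monitor_irq_entry(struct monitor *m, uint32_t intid) {
    enum world target  = intid_world(intid);
    enum world current = (m->scr & SCR_NS) ? NORMAL : SECURE;
    if (target != current) {           /* the costly path: world switch */
        m->scr ^= SCR_NS;
        m->world_switches++;
    }
    m->forwarded[target]++;
    return target;
}

/* "Only the normal world handles interrupts": IRQ/FIQ stay in the world they
 * arrive in, nothing is routed to the monitor. */
uint32_t scr_normal_only(void) { return SCR_NS; }

/* GIC dual-world setup: group 0 -> FIQ -> monitor; group 1 -> IRQ -> normal world. */
uint32_t scr_dual_world_gic(void)  { return SCR_NS | SCR_FIQ; }
uint32_t gicc_ctlr_dual_world(void) { return GICC_CTLR_ENABLE_GRP0 | GICC_CTLR_ENABLE_GRP1 | GICC_CTLR_FIQEN; }

int main(void) {
    struct monitor m = { SCR_NS, 0, { 0, 0 } };   /* start in the normal world */
    uint32_t seq[] = { 20, 3, 21 };                /* normal, secure, normal */
    for (unsigned i = 0; i < 3; i++)
        printf("INTID %2u -> world %d (switches so far: %u)\n", seq[i],
               monitor_irq_entry(&m, seq[i]), m.world_switches);
    return 0;
}
```

Running the sequence shows the latency point from the answer: the secure interrupt arriving while the normal world runs costs a world switch, and the next normal interrupt costs another one to get back.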

